SSL certificate expired? Stuck on "Collecting Packages"

[traycerb]

Like other issues #8 Package Control is stuck on collecting the packages.

I looked at the console, and it mentions something about the SSL certificate:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\portable\Profile\InstalledPackages\PackageControl.keypirinha-package\packagecontrol.py", line 455, in _get_available_packages
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\portable\Profile\InstalledPackages\PackageControl.keypirinha-package\packagecontrol.py", line 435, in _get_available_packages
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\python\site\keypirinha_net.py", line 40, in open
    fullurl, *args, data=data, timeout=timeout, **kwargs)
  File "lib\urllib\request.py", line 525, in open
  File "lib\urllib\request.py", line 543, in _open
  File "lib\urllib\request.py", line 503, in _call_chain
  File "lib\urllib\request.py", line 1360, in https_open
  File "lib\urllib\request.py", line 1319, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)>
12:01:41.739 ** ERROR: Error from PackageControl.PackageControl.on_suggest: <class 'TypeError'>: 'NoneType' object is not iterable
Traceback (most recent call last):
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\portable\Profile\InstalledPackages\PackageControl.keypirinha-package\packagecontrol.py", line 199, in on_suggest

I tried reinstalling manually (copied latest release into "InstalledPackages" directory, overwriting "old" version), but the error seems to persist.

[ueffel]

That's weird.

So the SSL Certificate from ue.spdns.de (were the package repository is hosted) is valid. In October of last year some Let's Encrypt Root Certificate expired and some windows systems (mine included) did not automatically got this certificate removed and somehow try to validate certificates to the wrong certificate chain. I don't know much about it but I noticed that already in Keypirinha/Keypirinha#527.
Edit: Also some has noticed the same in the chatroom https://gitter.im/Keypirinha/Keypirinha?at=625280120466b352a45d6b29

But that's not the weird part. The plugin should try the alternate repository @ https://ueffel.pythonanywhere.com/ the get the package list but that has to fail also in your case. I wonder why.

Could you do the following:

• enable debug mode of packagecontrol by using Keypirinha: Configure Package: PackageControl and entering debug = yes in the right file
  
• run PackageControl: Update Repository List
• open the keypirinha console Keypirinha: Console and copy the contents here?

After that you can solve your problem by deleting the expired certificate manually by following this: https://community.certifytheweb.com/t/upcoming-expiry-of-dst-root-ca-x3-and-r3-intermediate-for-lets-encrypt/1480/7
(and disable debug mode by setting debug = no or deleting the line)

[traycerb]

Hmm, it seems the problem is not related to Package Control, somehow something on my desktop computer.

I saw the chatroom message after I posted the issue, and I was fearful that was the cause. I tried (naively) trying various methods (Powershell, certlm.msc) to identify expired certificates, when you updated the issue and pointed me to the correct way to delete the expired certificate.

But that didn't work, it only changed the error message from certificate has expired to unable to get issuer certificate (see the second console log). That made me suspicious and I tried using my laptop, and Package Control seems to work just fine there (even though the same expired certs are present on it too). So I have no idea what's going on, but clearly it's nothing to do with Package Control itself. If you have any ideas, I'd certainly hear them, but will close this out. Sorry for not doing a little deeper digging before.

13:42:29.138 PackageControl.PackageControl(223): DEBUG: on_execute() item: PackageControl: Update Repository List, action: None
13:42:29.139 PackageControl.PackageControl(224): DEBUG: args:
13:42:29.139 PackageControl.PackageControl(401): DEBUG: Getting available packages forced
13:42:29.140 PackageControl.PackageControl(412): DEBUG: Last run was None
13:42:29.141 PackageControl.PackageControl(415): DEBUG: No available packages memory cached or its time to update, getting list from file cache
13:42:29.141 PackageControl.PackageControl(427): DEBUG: No available packages cached or its time to update, getting list from the net
13:42:29.142 PackageControl.PackageControl(433): DEBUG: Try to get list from https://ue.spdns.de/packagecontrol/packages.json
13:42:29.549 PackageControl.PackageControl(452): DEBUG: Error while obtaining the packages trying again...: Traceback (most recent call last):
  File "lib\urllib\request.py", line 1317, in do_open
  File "lib\http\client.py", line 1244, in request
  File "lib\http\client.py", line 1290, in _send_request
  File "lib\http\client.py", line 1239, in endheaders
  File "lib\http\client.py", line 1026, in _send_output
  File "lib\http\client.py", line 966, in send
  File "lib\http\client.py", line 1414, in connect
  File "lib\ssl.py", line 423, in wrap_socket
  File "lib\ssl.py", line 870, in _create
  File "lib\ssl.py", line 1139, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\portable\Profile\InstalledPackages\PackageControl.keypirinha-package\packagecontrol.py", line 435, in _get_available_packages
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\python\site\keypirinha_net.py", line 40, in open
    fullurl, *args, data=data, timeout=timeout, **kwargs)
  File "lib\urllib\request.py", line 525, in open
  File "lib\urllib\request.py", line 543, in _open
  File "lib\urllib\request.py", line 503, in _call_chain
  File "lib\urllib\request.py", line 1360, in https_open
  File "lib\urllib\request.py", line 1319, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)>
13:42:29.549 ** ERROR: PackageControl.PackageControl: Error while obtaining the packages trying again...
13:42:29.550 PackageControl.PackageControl(433): DEBUG: Try to get list from https://ueffel.pythonanywhere.com/packages.json
13:42:29.732 PackageControl.PackageControl(452): DEBUG: Error while obtaining the packages trying again...: Traceback (most recent call last):
  File "lib\urllib\request.py", line 1317, in do_open
  File "lib\http\client.py", line 1244, in request
  File "lib\http\client.py", line 1290, in _send_request
  File "lib\http\client.py", line 1239, in endheaders
  File "lib\http\client.py", line 1026, in _send_output
  File "lib\http\client.py", line 966, in send
  File "lib\http\client.py", line 1414, in connect
  File "lib\ssl.py", line 423, in wrap_socket
  File "lib\ssl.py", line 870, in _create
  File "lib\ssl.py", line 1139, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)

During handling of the above exception, another exception occurred:

After UnTrusting and Disabling certs for all purposes:

14:14:59.256 PackageControl.PackageControl(289): DEBUG: repo_url: https://ue.spdns.de/packagecontrol/packages.json
14:14:59.256 PackageControl.PackageControl(292): DEBUG: alt_repo_url: https://ueffel.pythonanywhere.com/packages.json
14:14:59.256 PackageControl.PackageControl(298): DEBUG: installed_packages: ['keypirinha-currency', 'keypirinha-cvt', 'Keypirinha-Time', 'Keypirinha-PackageControl']
14:14:59.256 PackageControl.PackageControl(301): DEBUG: autoupdate: True
14:14:59.256 PackageControl.PackageControl(304): DEBUG: update_interval: 12
14:14:59.256 PackageControl.PackageControl(348): DEBUG: Checking installed packages
14:14:59.272 PackageControl.PackageControl(353): DEBUG: Filesystem packages: ['Currency.keypirinha-package', 'Cvt.keypirinha-package', 'PackageControl.keypirinha-package', 'Time.keypirinha-package', 'WindowsApps.keypirinha-package']
14:14:59.272 PackageControl.PackageControl(388): DEBUG: Getting package: keypirinha-currency
14:14:59.272 PackageControl.PackageControl(401): DEBUG: Getting available packages
14:14:59.272 PackageControl.PackageControl(412): DEBUG: Last run was None
14:14:59.272 PackageControl.PackageControl(415): DEBUG: No available packages memory cached or its time to update, getting list from file cache
14:14:59.272 PackageControl.PackageControl(427): DEBUG: No available packages cached or its time to update, getting list from the net
14:14:59.272 PackageControl.PackageControl(433): DEBUG: Try to get list from https://ue.spdns.de/packagecontrol/packages.json
14:14:59.676 Apps.EnvPath: Cataloged 851 items in 2.4 seconds
14:15:00.017 PackageControl.PackageControl(452): DEBUG: Error while obtaining the packages trying again...: Traceback (most recent call last):
  File "lib\urllib\request.py", line 1317, in do_open
  File "lib\http\client.py", line 1244, in request
  File "lib\http\client.py", line 1290, in _send_request
  File "lib\http\client.py", line 1239, in endheaders
  File "lib\http\client.py", line 1026, in _send_output
  File "lib\http\client.py", line 966, in send
  File "lib\http\client.py", line 1414, in connect
  File "lib\ssl.py", line 423, in wrap_socket
  File "lib\ssl.py", line 870, in _create
  File "lib\ssl.py", line 1139, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1076)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\portable\Profile\InstalledPackages\PackageControl.keypirinha-package\packagecontrol.py", line 435, in _get_available_packages
  File "D:\USER-SOFTWARE\WindowsUtilities\Keypirinha\python\site\keypirinha_net.py", line 40, in open
    fullurl, *args, data=data, timeout=timeout, **kwargs)
  File "lib\urllib\request.py", line 525, in open
  File "lib\urllib\request.py", line 543, in _open
  File "lib\urllib\request.py", line 503, in _call_chain
  File "lib\urllib\request.py", line 1360, in https_open
  File "lib\urllib\request.py", line 1319, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1076)>
14:15:00.017 ** ERROR: PackageControl.PackageControl: Error while obtaining the packages trying again...
14:15:00.019 PackageControl.PackageControl(433): DEBUG: Try to get list from https://ueffel.pythonanywhere.com/packages.json
14:15:00.263 PackageControl.PackageControl(452): DEBUG: Error while obtaining the packages trying again...: Traceback (most recent call last):
  File "lib\urllib\request.py", line 1317, in do_open
  File "lib\http\client.py", line 1244, in request
  File "lib\http\client.py", line 1290, in _send_request
  File "lib\http\client.py", line 1239, in endheaders
  File "lib\http\client.py", line 1026, in _send_output
  File "lib\http\client.py", line 966, in send
  File "lib\http\client.py", line 1414, in connect
  File "lib\ssl.py", line 423, in wrap_socket
  File "lib\ssl.py", line 870, in _create
  File "lib\ssl.py", line 1139, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1076)

[ueffel]

Interesting: the ueffel.pythonanywhere.com domain seems to have the same issue, but I didn't experience that when i had the issue. Thanks for providing the debug logs.

[kschutter]

Was there any solution found for the unable to get issuer certificate error? That is where I am now stuck. Same issue for other keypirinha plugins that require updating via the internet (asky for me)

[traycerb]

i haven't been able to get it to work, i fear i may have to re-install

[ueffel]

Maybe try to update Root CAs?
http://woshub.com/updating-trusted-root-certificates-in-windows-10/#h2_3 See section "Certutil: Download Trusted Root Certificates from Windows Update"

[sparevermicelli]

Hi what is the solution as this issue is closed?
I am currently facing the same problem [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired
I don't see any certificates as mentioned in https://community.certifytheweb.com/t/upcoming-expiry-of-dst-root-ca-x3-and-r3-intermediate-for-lets-encrypt/1480/7

[ueffel]

The solution is repair your local root certificates as there is nothing I can do on my end to fix the issue. (Because the domains have valid certificate chains)

The already mentioned links:

• https://community.certifytheweb.com/t/upcoming-expiry-of-dst-root-ca-x3-and-r3-intermediate-for-lets-encrypt/1480/7
• http://woshub.com/updating-trusted-root-certificates-in-windows-10/#h2_3

are the only thing I have found, that help.

Maybe you can share a complete stacktrace?

[scottmmjackson]

This is still an issue and as far as I can tell updating root CAs doesn't work because it's an issue with Keypirinha's embedded python interpreter not updating the root CA store. So a pristine environment works fine but an older environment doesn't, even as browsers and the openssl command line tool use a valid OS root store.

I'm not sure what the answer is here but it's extremely frustrating.

[ueffel]

The python interpreter of keypirinha does not have his own root ca store. It should always use the OS store. In my case repairing the OS store did help me instantly.

[scottmmjackson]

@ueffel not sure what to tell you. openssl works. browsers work. my system python 3.10 interpreter works. my other system's keypirinha python interpreter works. it's literally just this specific application on this specific system that's broken.

I should clarify that I've run through the Root CA update steps and there is nothing wrong.

[Geobert]

I'm having this issue too on one computer and not the other. So it's on my side but I've followed the instructions

certutil.exe -generateSSTFromWU C:\PS\roots.sst
$sstStore = ( Get-ChildItem -Path C:\ps\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

everything executed properly, reboot, still have the issue.

Do we know which certificate chain is used? So I can check the correct cert to update/remove/whatever

EDIT: I've installed R3 from https://letsencrypt.org/certificates/ and it's working now

[ueffel]

should be like this.

The wrong chain has a "DST Root CA X3" certificate in it, i think

[LinuxOnTheDesktop]

I have the same problem - a hang on 'collecting packages'. The solution(s) presented on this page seem arcane and I had trouble at the first step. That first step - I took it from this page, which was linked above - was certutil.exe -generateSSTFromWU C:\PS\roots.sst. That command throws an error because - or rather unless - the PS directory exists. So one needs to create the directory or modify the file. (The roots.sst file need not exist. For, the command creates that file.) Yet, I suspect that actually that first step was not needed and I take it from a post above that all I need to do is, somehow, to import the certificate on this page. But how does one do that, please?